UPDATED Many versions of SWFUpload – a Flash-and-JavaScript upload applet used on millions of websites, including WordPress sites – are vulnerable to content spoofing and to a cross-site scripting (XSS) flaw that could lead to account takeover, according to reports this week.
According to a recent post on Full Disclosure, applications that bundle SWFUpload versions 2.2.0.1 and older are vulnerable. This includes old versions of WordPress (builds 2.7–3.3.1 in particular) as well as content management systems such as Dotclear, InstantCMS, AionWeb, Dolphin and SwfUploadPanel for TYPO3 CMS, plus the Archiv plugin for TinyMCE, Liferay Portal, SWFUpload for Drupal, Codeigniter and SentinelleOnAir, according to the warning.
SWFUpload is stable, according to a description on Google Code, but isn’t actively developed anymore. The tool works in tandem with Adobe’s Flash Player to simplify uploading multiple, queued files, among other functions.
According to the SecLists warning, old copies of swfupload.swf and its alternatively named variants – swfupload_f8.swf, swfupload_f9.swf, swfupload_f10.swf and swfupload_f11.swf – are vulnerable, while the swfupload.swf bundled with WordPress 3.3.2 and higher is safe.
In an email to Threatpost on Tuesday, Dotclear’s project manager Franck Paul wrote that a fix for the flaw is already in the pipeline. The next version of the open-source web publishing software (2.5) should ship in a few days and include a new swfupload.swf that addresses the potential SWFUpload XSS vulnerability.
“We heard about this yesterday evening and we committed a patch this morning,” wrote Paul.
XenForo, a British company that makes community forum software, meanwhile says it acknowledged the problem last summer and patched it in June by shipping a new swfupload.swf with XenForo 1.1.3.
WordPress fixed the last major issue with SWFUpload last April when it pushed version 3.3.2 of its popular blogging platform. That build addressed a seemingly separate XSS issue (CVE-2012-3414) discovered that spring by Brown University students Neal Poole and Nathan Partlan.
It’s unclear at this time whether the XSS and content spoofing issues are related to that earlier flaw, but the author of the Full Disclosure post insists the newly reported issues date back to November and have not yet been fixed.
When reached Tuesday, WordPress confirmed that it has no direct relationship with SWFUpload and that version 3.3.2 of WordPress featured a fix for this issue made by members of the WordPress.org Security Team.